From 34adbeb30672ab3b7256ab96246717c6e1b748ad Mon Sep 17 00:00:00 2001
From: Adam Tkac
Date: Mon, 15 Feb 2010 16:07:02 +0000
Subject: [PATCH] - obsolete dnssec-conf
- automatically update configuration from old dnssec-conf based
- improve default configuration; enable DLV by default
- remove obsolete triggerpostun from bind-libs subpackage
---
 .cvsignore | 2 +-
 bind.spec | 45 +++++++++++++++++++++---------------
 bind97-managed-keyfile.patch | 20 ++++++++++++++++
 named.conf.sample | 3 +++
 named.init | 7 +----
 named.sysconfig | 1 +
 sources | 2 +-
 7 files changed, 53 insertions(+), 27 deletions(-)
 create mode 100644 bind97-managed-keyfile.patch
diff --git a/.cvsignore b/.cvsignore
index 0ad34d1..8ca3bf5 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,2 +1,2 @@
-config-5.tar.bz2
 bind-9.7.0rc2.tar.gz
+config-6.tar.bz2
diff --git a/bind.spec b/bind.spec
index 5a1844e..6bab9e2 100644
--- a/bind.spec
+++ b/bind.spec
@@ -20,7 +20,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: ISC
 Version: 9.7.0
-Release: 0.13.%{PREVER}%{?dist}
+Release: 0.14.%{PREVER}%{?dist}
 Epoch: 32
 Url: http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -37,7 +37,7 @@ Source8: dnszone.schema
 Source12: README.sdb_pgsql
 Source21: Copyright.caching-nameserver
 Source25: named.conf.sample
-Source28: config-5.tar.bz2
+Source28: config-6.tar.bz2
 Source30: ldap2zone.c
 
 # Common patches
@@ -52,6 +52,7 @@ Patch101:bind-96-old-api.patch
 Patch102:bind-95-rh452060.patch
 Patch106:bind93-rh490837.patch
 Patch107:bind97-dist-pkcs11.patch
+Patch108:bind97-managed-keyfile.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -73,9 +74,12 @@ Requires: mktemp
 Requires(post): grep, chkconfig
 Requires(pre): shadow-utils
 Requires(preun):chkconfig
-Requires: dnssec-conf
-Obsoletes: bind-config < 30:9.3.2-34.fc6, caching-nameserver < 31:9.4.1-7.fc8
-Provides: bind-config = 30:9.3.2-34.fc6, caching-nameserver = 31:9.4.1-7.fc8
+Obsoletes: bind-config < 30:9.3.2-34.fc6
+Provides: bind-config = 30:9.3.2-34.fc6
+Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
+Provides: caching-nameserver = 31:9.4.1-7.fc8
+Obsoletes: dnssec-conf < 1.22-6
+Provides: dnssec-conf = 1.22-5
 BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
 BuildRequires: libidn-devel, libxml2-devel
 %if %{SDB}
@@ -180,6 +184,7 @@ Based on the code from Jan "Yenya" Kasprzak
 %patch10 -p1 -b .PIE
 %patch16 -p1 -b .redhat_doc
 %patch104 -p1 -b .dyndb
+%patch108 -p1 -b .managed-keyfile
 %if %{SDB}
 %patch101 -p1 -b .old-api
 mkdir bin/named-sdb
@@ -362,6 +367,7 @@ tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
 touch ${RPM_BUILD_ROOT}/etc/rndc.key
 touch ${RPM_BUILD_ROOT}/etc/rndc.conf
 mkdir ${RPM_BUILD_ROOT}/etc/named
+install -m 644 bind.keys ${RPM_BUILD_ROOT}/etc/named.iscdlv.key
 
 install -m 644 %{SOURCE5} ./rfc1912.txt
 install -m 644 %{SOURCE21} ./Copyright
@@ -397,14 +403,6 @@ if [ "$1" -eq 1 ]; then
 # rndc.key has to have correct perms and ownership, CVE-2007-6283
 [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
 [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
-
- # Check DNSSEC settings if this is a fresh install
- if [ -r /etc/sysconfig/dnssec ]; then
- . /etc/sysconfig/dnssec
- [ -x /usr/sbin/dnssec-configure ] && \
- dnssec-configure -b --norestart --dnssec="$DNSSEC" --dlv="$DLV" > \
- /dev/null 2>&1
- fi;
 fi
 :;
 
@@ -442,12 +440,14 @@ fi
 %postun libs
 /sbin/ldconfig
 
-# bind-libs between 32:9.6.1-0.1.b1 and 32:9.6.1-0.4.rc1 have bigger SOnames
-# than current bind - https://bugzilla.redhat.com/show_bug.cgi?id=509635.
-# Remove this trigger when SOnames get bigger and also correct the %%postun
-# section above (use %%postun libs -p /sbin/ldconfig)
-%triggerpostun -n bind-libs -p /bin/bash -- bind-libs > 32:9.6.1-0.1.b1
-/sbin/ldconfig
+# Automatically update configuration from "dnssec-conf-based" to "BIND-based"
+%triggerpostun -n bind -- dnssec-conf
+[ -r '/etc/named.conf' ] || exit 0
+cp -fp /etc/named.conf /etc/named.conf.rpmsave
+if grep -Eq '/etc/(named.dnssec.keys|pki/dnssec-keys)' /etc/named.conf; then
+ sed -i -e '/.*named\.dnssec\.keys.*/d' -e '/.*pki\/dnssec-keys.*/d' \
+ /etc/named.conf
+fi
 
 %post chroot
 if [ "$1" -gt 0 ]; then
@@ -483,6 +483,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %defattr(-,root,root,-)
 %{_libdir}/bind
 %config(noreplace) %{_sysconfdir}/sysconfig/named
+%config(noreplace) %attr(-,root,named) %{_sysconfdir}/named.iscdlv.key
 %{_sysconfdir}/rc.d/init.d/named
 %{_sysconfdir}/NetworkManager/dispatcher.d/13-named
 %{_sbindir}/arpaname
@@ -623,6 +624,12 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Mon Feb 15 2010 Adam Tkac 32:9.7.0-0.14.rc2
+- obsolete dnssec-conf
+- automatically update configuration from old dnssec-conf based
+- improve default configuration; enable DLV by default
+- remove obsolete triggerpostun from bind-libs subpackage
+
 * Thu Jan 28 2010 Adam Tkac 32:9.7.0-0.13.rc2
 - update to 9.7.0rc2
 
diff --git a/bind97-managed-keyfile.patch b/bind97-managed-keyfile.patch
new file mode 100644
index 0000000..3bd86f2
--- /dev/null
+++ b/bind97-managed-keyfile.patch
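Review bot: The new `%triggerpostun -n bind -- dnssec-conf` body rewrites /etc/named.conf whenever any dnssec-conf instance is removed, which, if I read the rpm trigger argument convention right, includes an ordinary upgrade of a still-installed dnssec-conf (`$2` greater than zero), so it would strip the include lines out of a configuration that dnssec-conf still manages. It also overwrites an existing /etc/named.conf.rpmsave unconditionally, even when the grep finds nothing to change, and the unescaped dots in `named.dnssec.keys` in the grep pattern match any character. I would gate the whole body on `$2` being zero, take the backup only when a change is actually made, and escape the dots, along these lines:
```spec
%triggerpostun -n bind -- dnssec-conf
[ "$2" -eq 0 ] || exit 0
[ -r '/etc/named.conf' ] || exit 0
if grep -Eq '/etc/(named\.dnssec\.keys|pki/dnssec-keys)' /etc/named.conf; then
  cp -fp /etc/named.conf /etc/named.conf.rpmsave
  sed -i -e '/.*named\.dnssec\.keys.*/d' -e '/.*pki\/dnssec-keys.*/d' \
    /etc/named.conf
fi
```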
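Review bot: `%config(noreplace)` on %{_sysconfdir}/named.iscdlv.key means that once the file differs from the packaged copy, a later package carrying a rolled-over ISC DLV key is dropped as named.iscdlv.key.rpmnew and the stale anchor stays in use, which is the wrong default for a trust anchor. If the file is meant to stay package-owned rather than edited locally, plain `%config %attr(-,root,named) %{_sysconfdir}/named.iscdlv.key` keeps it current on upgrade; if local edits are expected, the named.sysconfig comments should say that a key rollover then needs a manual merge from the .rpmnew file.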
@@ -0,0 +1,20 @@
+diff -up bind-9.7.0rc2/bin/named/server.c.managed-keyfile bind-9.7.0rc2/bin/named/server.c
+--- bind-9.7.0rc2/bin/named/server.c.managed-keyfile 2010-02-15 16:17:26.051369348 +0100
++++ bind-9.7.0rc2/bin/named/server.c 2010-02-15 16:24:16.408368990 +0100
+@@ -3020,6 +3020,7 @@ configure_zone(const cfg_obj_t *config,
+ */
+ 
+ #define KEYZONE "managed-keys.bind"
++#define KEYFILE "dynamic/managed-keys.bind"
+ 
+ static isc_result_t
+ add_keydata_zone(dns_view_t *view, isc_mem_t *mctx) {
+@@ -3040,7 +3041,7 @@ add_keydata_zone(dns_view_t *view, isc_m
+ CHECK(dns_zone_setorigin(zone, &zname));
+ dns_name_free(&zname, mctx);
+ 
+- CHECK(dns_zone_setfile(zone, KEYZONE));
++ CHECK(dns_zone_setfile(zone, KEYFILE));
+ 
+ if (view->hints == NULL)
+ dns_view_sethints(view, ns_g_server->in_roothints);
diff --git a/named.conf.sample b/named.conf.sample
index d02efc4..659fdc9 100644
--- a/named.conf.sample
+++ b/named.conf.sample
@@ -57,6 +57,9 @@ options
 
 /* Enable DNSSEC validation on recursive servers */
 dnssec-validation yes;
+
+ /* Enable DLV by default, use built-in ISC DLV key. */
+ dnssec-lookaside auto;
 };
 
 logging
diff --git a/named.init b/named.init
index 0394900..ce5c745 100755
--- a/named.init
+++ b/named.init
@@ -22,7 +22,6 @@
 . /etc/rc.d/init.d/functions
 [ -r /etc/sysconfig/named ] && . /etc/sysconfig/named
-[ -r /etc/sysconfig/dnssec ] && . /etc/sysconfig/dnssec
 RETVAL=0
 export KRB5_KTNAME=${KEYTAB_FILE:-/etc/named.keytab}
@@ -43,13 +42,9 @@ if [ -n "$ROOTDIR" ]; then
 fi;
 fi
-[ -x /usr/sbin/dnssec-configure ] && [ -r /etc/named.conf ] && \
- [ /etc/sysconfig/dnssec -nt /etc/named.conf ] && \
- /usr/sbin/dnssec-configure -b --norestart --dnssec="$DNSSEC" --dlv="$DLV"
-
 ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
-/usr/lib64/bind /usr/lib/bind'
+/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'
 mount_chroot_conf() {
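Review bot: The new `KEYFILE` define hard-codes `dynamic/managed-keys.bind` without saying what the path is relative to or who must be able to write it; as far as I can tell from its use in `dns_zone_setfile`, it is resolved like any other zone file, i.e. against the `directory` option, and the RFC 5011 managed-keys state cannot be persisted if `dynamic/` is missing or not writable by the named user. Nothing in this patch or the visible spec hunks creates that directory (it may come from config-6.tar.bz2, which is not shown). I would add above the define: `/* Relative to the "directory" option; dynamic/ must exist and be writable by the named user, or managed-keys updates are not persisted. */`. add_keydata_zone begins and ends outside the hunk.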
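Review bot: `dnssec-lookaside auto;` does not reference the /etc/named.iscdlv.key that bind.spec now installs: as far as I can tell, BIND 9.7's `auto` mode takes the DLV anchor from the `bindkeys-file` option (default /etc/bind.keys) and otherwise falls back to the compiled-in key, so the shipped file is never read and the "use built-in ISC DLV key" comment describes what actually happens. If the intent is for the packaged, chroot-mounted key file to be the anchor that can be refreshed by a package update, add `bindkeys-file "/etc/named.iscdlv.key";` next to the new line; otherwise the installed file and its named.init and named.sysconfig plumbing serve no purpose for the default configuration.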
diff --git a/named.sysconfig b/named.sysconfig
index 53b6a1b..671621d 100644
--- a/named.sysconfig
+++ b/named.sysconfig
@@ -22,6 +22,7 @@
 # - /etc/rndc.key
 # - /etc/named.rfc1912.zones
 # - /etc/named.dnssec.keys
+# - /etc/named.iscdlv.key
 #
 # Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
 # line to your /etc/rsyslog.conf file. Otherwise your logging becomes
diff --git a/sources b/sources
index 18e6f3c..8e8f30f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-4c35a2aac8d8054ea2154906bf57fb52 config-5.tar.bz2
 9b8a31ac279868264e5bcbacd7991149 bind-9.7.0rc2.tar.gz
+90bd7f32fd5717b8294313b6b5ccc742 config-6.tar.bz2